Is UAC broken in Windows 7?

Bloggers Long Zheng and Rafael Rivera have found what appears to be a serious failing in the emasculated version of User Account Control (UAC) that Microsoft is including in Windows 7: Apparently, it doesn’t work and is very easy to bypass. So easy, in fact, that Zheng and Rivera were able to write up a quickie Visual Basic Script (VBScript) that can compromise a Windows 7 PC. Microsoft’s response so far: “This feature works as intended.” This has the makings of a fight.

This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 to make it “less annoying” inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided.

By default, Windows 7’s UAC setting is set to “Notify me only when programs try to make changes to my computer” and “Don’t notify me when I make changes to Windows settings”. How it distinguishes between a (third party) program and Windows settings is with a security certificate … The Achilles’ heel of this system is that changing UAC is also considered a “change to Windows settings”, which, coupled with the new default UAC security level, means you would not be prompted if it is changed. Even to disable UAC entirely.

The implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc.

Beta users of Windows 7 can also apply a simple fix. Changing the UAC policy to “Always Notify” will force Windows 7 to notify you even if UAC settings change. Annoying, but safe.

Put another way, “annoying but safe … Like it was in Windows Vista. And is in Mac OS X, by the way.”

Windows 7, however, now ships with UAC configured to hide prompts when users change Windows settings. While this mode still ensures normal applications can’t overwrite your entire registry hive, Microsoft made a boo-boo in allowing users to change any Windows setting without any prompts. Yes, you can even change UAC settings, allowing applications free rein in elevated mode (after the required restart).

An obvious fix for this “issue” would be to force the adjustment of UAC parameters to be confirmed by a human. Until Microsoft addresses this “issue”, you can set UAC to its highest mode to kill any concerns you may have… but you’re not using this in a production environment anyway – right?


This is a major hurdle in Windows 7. Customers that have bought systems from me (with Windows Vista) don't have the same number of problems with malware that XP has. It's just very uncommon. I provide documentation outlining features in Windows Vista, and UAC is one of them. Customers that choose to follow the recommended option of using a limited user account by default have few problems, if ever. Customers that use an admin-level account but still want to have that G0D trip also have few problems, and are still protected somewhat.
I've had exactly 2 customers in the last ~3 months with spyware problems on Windows Vista. Both had UAC disabled because they thought it was annoying. Guess what? They're now paying $100 each for a malware cleanup. How less annoying is that?
This has already been addressed by many people though. This article is my favourite:
http://blogs.msdn.com/cjacks/archive/2009/01/07/the-windows-7-uac-slider...
"Now, my friend Crispin would prefer a different UI metaphor than a slider – he’d like to see a pair of pants – the further down you pull the slider, the further down your pants are while you’re computing. I actually think that’s a really good analogy."
PS: If the OPK allows it, I'm setting the Windows 7 UAC to the Vista default on new installations when I start building systems with it.

Dear Microsoft,
Don't listen to those malcontents who say that Vista is crap and user unfriendly, those are Apple fan bois or other losers who NEVER used Vista.
Now listen (for a change) to a Vista user, who has been using Vista for over a year. I like Vista security, I've never complained about UAC, because I know that either you have user friendly system or secure system. So please go back to Vista UAC.
Sincerely,
djRob

One of the first things I did in Win 7 was to ramp up the security with the slider in the new UAC. Although annoying for new installs I have come to prefer the security blanket of UAC as opposed to "Ridden Dirty" with UAC turned off. I ran as a limited user when I was using a Unix based OS and the experience is similar.
People running XP as administrators, surfing blindly on the internet, and not patching their OS or security software are the reason so many computers today get compromised. The advantage from day 1 of Vista was the ability to run as a limited user and still install software when you wanted. Users who complain about UAC are the ones who end up getting hosed, just as Waethorn stated.

What's funny is I have never found UAC in Vista to be overly bothersome after a few weeks. These days I get bugged more by my Mac to enter my password than UAC ever pops up on my screen. And at least UAC is just a mouse click.

"Users who complain about UAC are the ones who end up getting hosed, just as Waethorn stated."
It's the ones that complain because they don't know what it's for. A little understanding is all it takes. When I explain what it's for, users realize that they benefit from having it there.
Here's a big burning question though: With Windows 7 offering different levels of UAC, what does that mean for IE's Protected Mode?
Anybody got any thoughts on this?

I complain about the UAC in Vista -- it obnoxiously slows things down *and* prompts me at the strangest things! Why (oh, why) would I need to "approve" the deletion of a shortcut on the desktop??? HONESTLY??! I just shake my head and sigh.
That said, I still leave it on because it is an appropriate security measure. The UAC in Win7, however, has been a real pleasure -- notifying me at appropriate times, while not bogging the system to do so. Still, I don't see ANY REASON WHATSOEVER that changing the UAC shouldn't prompt me via the UAC. It just makes sense!
Similarly, our Netflix account is "locked down" to only allow PG-13 ratings and below. I wanted to add the "Hardy Boys TV Series" which is NR, but (strangely) it wasn't allowed. I prompted for a password to add it, but I didn't remember what the password was -- my wife does, however. Instead, I just clicked on our "Account Settings" and changed it to allow *All Movies*. Guess what? Changing THAT setting didn't prompt me for a password! Wha?? Same kinda crap, and really stupid.
I gotta remember to take this up with Netflix.

"at least UAC is just a mouse click"
I do find that some programs have a slight bug with the UAC popup in that options may require a second press after getting past the UAC prompt.
One program in particular is OneCare. When OneCare's firewall option comes up when it detects a new network, it has the Home/Work & Public network option. Those are system-level options so obviously they require UAC. Understood. What I don't understand is that when you click the option, then get past the UAC prompt, it pops up a second time with the same options, sans UAC lock. THAT'S the annoying part.

As a long time XP and Vista user, the old days of using XP on pins and needles was more of a hassle than a pleasure. XP could be compromised in so many different ways, you had to have two different anti-spyware tools and a competent anti-virus. IE 6 was like the opening of Pandora's box. You never knew what was going to escape. However, IE 7 did really help the situation in XP. However an 8 year old code base with deep flaws needed to be changed.
As much as the Vista bashers hate the OS, most of them have not actually used the OS for a 30 day period to get a good evaluation. Yes it has its issues, but Leopard has had its share of issues. SP1 has made the OS very stable and useable. The UAC does its job very well. To me, I'm used to the one click to authorize when I'm installing software or a Web application. But I'm very much aware of what I'm doing when I authorize the UAC. At least we're not having to enter an admin level password in certain situations for such changes. That would be truly annoying.
However, this has to be tackled aggressively. UAC is the deflector shield for the OS. It really is Windows Vista's and 7's second line of defense. The first has to be the firewall. That's why my router's firewall is turned on along with the latest in wifi protected access (WPA 2). That's backed up by Vista's firewall.
I'm glad it was found at this point, so that it can be fixed before it becomes a public OS. This is why that girl advocating the release of Windows 7 in its current form should be ignored. This OS is still at the beginning of what the Navy would call a "Shakedown Cruise" to work out all the bugs. Three weeks into this shakedown cruise, we are seeing both the potential and the pitfalls. Windows 7 does need to go back to the drydock for some work but she is seaworthy.

"Why (oh, why) would I need to "approve" the deletion of a shortcut on the desktop???"
The only reason is because the shortcut is in the All Users folder, not just your own. Any setting that affects all users will give you a UAC prompt.
When you install multi-user aware apps and choose to install it thusly, shortcuts on the desktop get created in the All Users desktop virtual folder. If you install for only yourself, the shortcuts only get put in your own Desktop folder, so deleting them won't prompt with UAC.
That's why.

"I can't get the Feedback thing to work! I'm part of the Connect site, so what am I missing???"
The "Send Feedback" link in Windows 7?
You need a product key, and you need to activate your beta, otherwise the link clearly states that they won't accept feedback. (I don't know if that has any bearing on CEIP or not)
If you have a hardened firewall, that may deter communications too.

yipcanjo said:
" Still, I don't see ANY REASON WHATSOEVER that changing the UAC shouldn't prompt me via the UAC. It just makes sense!"
This seems like the obvious solution to me. I think it's well and appropriate that the user should be able to adjust, say, the clock settings without being bugged by UAC, but no one (user, app, whatever) should be able to change the UAC settings without a prompt.

"These days I get bugged more by my Mac to enter my password then UAC"
If I were you I would worry that I have a Trojan or something like that. OSX only prompts you for password on major App install that install stuff in the Library folder or for system updates...

"IE 6 was like the opening of Pandora's box....IE 7 did really help the situation in XP"
Actually, it was SP2's options that introduced those safe browsing behaviours. Those were for IE6. IE7 didn't really do much to change that. It was mostly a feature release.
"SP1 has made the OS very stable and useable"
Again, it wasn't so much SP1, but the application compatibility and performance updates that preceded it that made it better. SP1 just included them.
"Thats why my router's firewall is turned on along with the latest in wifi protected access (WPA 2)"
WPA2 is only good if you use AES encryption. Many routers allow you to swap WPA and WPA2 with TKIP and AES encryption, which isn't part of the official spec. Also, using the "WPA+WPA2" mode won't help, since the WPA mode almost certainly is using TKIP, which is much easier to hack.
If you want hardened protection, using WPA2(AES) with a RADIUS authentication server is the way to go. That takes a lot of work though, and requires an access point that supports RADIUS, as well as an actual server to do the certificate exchange with domain-joined clients.
"This is why that girl advocating the release of Windows 7"
Kelly is a guy actually.

"The only reason is because the shortcut is in the All Users folder, not just your own. Any setting that affects all users will give you a UAC prompt."
Yeah but still it's a design flaw. If the icon is on your desktop and you have an admin account, you should not be prompted to delete a file in your own folder...

I'm not familiar with OS X, so I asked my Mac-loving brother about UAC.
He says Macs don't have it. He says he's been using OS X for 8 years, and the only time the Mac asks for his password is when he installs software.

"the user should be able to adjust, say, the clock settings without being bugged by UAC"
That's a system setting, so it requires UAC. It affects all users, and can also have adverse effects on software too. You CAN change the time zone per user though, since it doesn't actually change the time - it just offsets it.

I for one do not like the UAC changes in Windows 7. I think that it should be set the "Always Notify". If most people had that turned on, I wouldn't have to spend my weekends reloading XP for friends who have torched their machines with Malware.
For all the people that complained about Vista, you got what you wanted, a far less secure OS.

"If the icon is on your desktop and you have an admin account, you should not be prompted to delete a file in your own folder..."
It's not in your own folder though - it's redirected from the All Users folder. Windows doesn't make copies of the All Users folder into each user folder as that would be redundant. What it does is apply shortcuts from All Users, in combination with the user's own desktop shortcuts. You don't know where those shortcuts are unless you check the properties or try a system command, like deletion (users shouldn't need to know that anyway).
It's not a design flaw either. It reduces redundancy.
"has anybody, unlike me, EVER had uac catch an illegitmate process trying to mess things up?"
It doesn't recognize the difference between "legitimate" and "illegitimate", it only recognizes the difference between system (affects all users) or user-level commands and programs.
User privileges 101: When you log into Windows Vista, the filesystem gives you this little sandbox that consists of your "home" folder (the folder under x:\Users that is your login name) and all your standard storage folders under it. That's the Documents, Pictures, Music, etc., folders. You can write what you want in there. *nix users should be all too familiar with this concept. Deviating outside of that on the system drive usually affects all users. Similarly, there are options that you can change for your own login only (personalization options such as wallpaper, screen saver, etc.) which don't require UAC. Any setting outside of that will, however.
Of course, to change any system-level setting, you either need to be an administrator, or UAC will prompt for an administrator to enter their credentials (choose their name from a list and enter their password).
The Windows security Best Practice is to only have ONE administrator level account that IS NOT used for day-to-day purposes WITH A STRONG PASSWORD, and have all users log in under limited user accounts for normal usage. Passwords should also be used by all users.
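The account layout described in the comment above (one administrator account kept for administration only, everyone else a limited user, passwords on every account) can be checked rather than assumed. The PowerShell below is an added example, not code from the article or from anyone in this thread; it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later; on Windows 7 the same information comes from `net user` and `net localgroup`), and the function names are this example's own.

```powershell
# Added example, not code from the article or the comment thread. Audits local
# accounts against the practice stated in the comment: a single administrator
# account that is not used day to day, everyone else a limited user, all with
# passwords. Assumes the Microsoft.PowerShell.LocalAccounts cmdlets
# (Windows 10 / Server 2016 and later). Function names are this example's own.

function Get-LocalAccountAudit {
    # Members of the local Administrators group, reduced to bare user names
    # (Get-LocalGroupMember reports them as COMPUTER\user).
    $adminNames = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    # One row per local account, with the facts the best practice depends on.
    foreach ($user in Get-LocalUser) {
        [pscustomobject]@{
            Name             = $user.Name
            Enabled          = $user.Enabled
            IsAdministrator  = $adminNames -contains $user.Name
            PasswordRequired = $user.PasswordRequired
            LastLogon        = $user.LastLogon
        }
    }
}

function Get-LocalAccountFindings {
    param([Parameter(Mandatory)][object[]]$Audit)
    # Pure function over the audit rows, so it can also be fed constructed data.
    $findings = @()
    $admins = @($Audit | Where-Object { $_.Enabled -and $_.IsAdministrator })
    if ($admins.Count -eq 0) {
        $findings += 'No enabled administrator account: the machine cannot be administered.'
    } elseif ($admins.Count -gt 1) {
        $findings += "More than one enabled administrator account ($($admins.Name -join ', ')); keep a single one for administration only."
    }
    foreach ($row in $Audit) {
        if ($row.Enabled -and -not $row.PasswordRequired) {
            $findings += "Account '$($row.Name)' is enabled but does not require a password."
        }
    }
    return $findings
}

# Usage against the live machine
$audit = Get-LocalAccountAudit
$audit | Format-Table -AutoSize
Get-LocalAccountFindings -Audit $audit | ForEach-Object { Write-Warning $_ }
```

The audit is split from the findings so the rules can be run over rows gathered some other way (an exported list, or output of `net user` parsed by hand on older systems). Whether the single administrator account is actually used for day-to-day work is visible in the `LastLogon` column rather than flagged automatically, since a recent logon can be legitimate.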

@ Wae,
Some websites I read were reporting it as a girl. If it's not, mea culpa. Whole hearted apologies. I still think the call to launch 7 is a bit premature.
I would have to disagree with you about SP 2, because there were still issues with XP security long after SP2 was out. There were a string of issues with IE 6 because I would sit there letting Windows Update patch issue after issue with IE 6. You can't tell me that the security issues did not persist long after SP2. SP2 was launched August 6, 2004.
After SP2 was the Zotob worm, Nyxem, Stration, W32 Storm/ aka Storm Worm, etc. So SP 2 was a nice stopgap measure, it didn't cure the problems.
IE 7 had all those issues resolved as well as new features that helped security.
My router doesn't allow WPA and WPA 2 at the same time. Only network cards using WPA 2 can be used, because WPA network cards and adapters have failed to connect to the network. I've tested this frequently to make sure.
The router also locks out other computers by identification of authorized mac address.

"You have locks on your door. Are people annoyed when it requires a metal key to let you in?"
I like the pants analogy better. It's funny.
"For all the people that complained about Vista, you got what you wanted, a far less secure OS."
....straight out of Deliverance.
*cue banjo*
:P

"After SP2 was the Zotob worm, Nyxem, Stration, W32 Storm/ aka Storm Worm, etc. So SP 2 was a nice stopgap measure, it didn't cure the problems. IE 7 had all those issues resolved as well as new features that helped security."
IE6 had security issues later, there's no doubt. So did IE7. So does Windows. You need to check your security info though: those worms attacked systems that were missing a specific Windows update. It didn't matter what browser you had. What SP2 did was curb drive-by downloads because of the extra ActiveX prompting and download blocker. That wasn't an IE7-specific feature at all. That was the major stepping stone in IE security though, because it meant that if you clicked on a link that led you to a malicious website, the site would be much less likely to be able to install software automatically due to flaws in the handling of ActiveX security certificates, which can be bypassed. IE7 only added what I would consider minor security additions such as the anti-phishing notification.
"Only network cards using WPA 2 can be used, because WPA network cards and adapters have failed to connect to the network. I've tested this frequently to make sure."
Windows Vista reports WPA2 access points. You can confirm whether or not WPA works by changing the properties of the wireless network connection to WPA[1](TKIP) with the same password. If it does, you need to lock it down a little harder in your router web interface.
BTW: A Sony PS3 will have problems connecting to WPA2(AES) when you use WPA+WPA2. It will only work with WPA1(TKIP) in that scenario. The PS3 seems fairly buggy with WPA2 in other scenarios too. I've tried this with routers from every major manufacturer, so I conclude that it's a problem with the PS3.
"The router also locks out other computers by identification of authorized mac address."
That's not hard to fake actually. Many routers allow a MAC address of all zeros to connect. MAC address filtering should never be considered a "security feature", because it's not. Many wireless cards can just scan connected MACs and then you can modify the network card MAC to match one that's already connected.

@sub:
One of the key additions to XP SP2 was the Attachment Execution Service which tracks the origin of a file and prevents it from executing automatically. That was part of what I mentioned in IE6 SP2.

@Waethorn - "It doesn't recognize the difference between "legitimate" and "illegitimate""
I think that what radamanthyspl was asking was if anybody has ever seen UAC catch a process that was initiated by a piece of malware? I haven't...but like others here, I have several layers of protection before it even gets to UAC.
--tayme

"The UAC does its job very well. To me, I'm used to the one click to authorize when I'm installing software or a Web application. But I'm very much aware of what I'm doing when I authorize the UAC. At least we're not having to enter an admin level password in certain situations for such changes. That would be truly annoying."
LOL! UAC is a very good move for MS. Its implementation is HORRIBLE. Because of the way it's done, Joe User figures out how to either turn it off, or just clicks through repeated ok's....like they did with XP and a software install. THAT IS BAD!!!!
OS X and Linux do it right. Much fewer prompts, no dimming of the screen (that seems to kill systems with slower CPUs/video cards on Vista) and ALWAYS asking for a password. Nothing SCREAMS security more than asking you for your password.
Windows 7 needs to tweak UAC to be OS X like. BTW there is a cool free product called tweak UAC for Vista.
Also via the registry you can tune UAC to always prompt for a password even as an admin, and to not do that stupid screen dimming effect that seems to give most Vista boxes a heart attack.
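The slider levels the article describes (the Windows 7 default, "Always Notify" as the workaround) and the registry tuning this comment mentions (prompt for credentials, no screen dimming) are all expressed by three values under one policy key. The PowerShell below is an added example, not code from the article, the bloggers, or this commenter: it reads those values and reports which slider position they correspond to, warning when the machine is below "Always notify", the one level at which a change to the UAC setting itself still prompts. The registry path and value names are the standard Windows UAC policy values; the function names are this example's own.

```powershell
# Added example, not code from the article, the bloggers, or the comment thread.
# Reads the three registry values behind the Windows 7 UAC slider and reports
# the level. Path and value names are the standard Windows UAC policy values;
# the function names are this example's own. Reading the values needs no elevation.

$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacConfiguration {
    param([string]$Path = $UacPolicyPath)
    # Values absent from the key come back as $null, which is distinct from 0.
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 = UAC off entirely
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0..5, see the table below
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = dimmed secure desktop
    }
}

function Get-UacSliderLevel {
    param([Parameter(Mandatory)]$Config)
    # Windows 7 slider positions as (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop):
    #   Always notify                                   -> 1, 2, 1
    #   Notify only when programs change settings       -> 1, 5, 1   (Windows 7 default)
    #   ... without dimming the desktop                 -> 1, 5, 0
    #   Never notify                                    -> 0, 0, 0
    # ConsentPromptBehaviorAdmin = 1 or 3 is the policy-only "prompt for credentials"
    # setting the comment refers to; it has no slider position of its own.
    if ($Config.EnableLUA -ne 1) { return 'Never notify (UAC disabled)' }
    $admin  = $Config.ConsentPromptBehaviorAdmin
    $secure = $Config.PromptOnSecureDesktop -eq 1
    if ($admin -eq 2 -and $secure)      { return 'Always notify' }
    if ($admin -eq 5 -and $secure)      { return 'Notify only when programs change settings (Windows 7 default)' }
    if ($admin -eq 5 -and -not $secure) { return 'Notify only when programs change settings, no desktop dimming' }
    if ($admin -eq 1 -or $admin -eq 3)  { return 'Prompt for credentials (policy setting)' }
    if ($admin -eq 0)                   { return 'Elevate without prompting' }
    return "Non-standard combination (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$($Config.PromptOnSecureDesktop))"
}

function Test-UacAlwaysNotify {
    param([Parameter(Mandatory)]$Config)
    # The only slider level at which changing the UAC setting itself prompts.
    return ($Config.EnableLUA -eq 1 -and
            $Config.ConsentPromptBehaviorAdmin -eq 2 -and
            $Config.PromptOnSecureDesktop -eq 1)
}

# Usage
$cfg = Get-UacConfiguration
$cfg | Format-List
Write-Output "UAC slider level: $(Get-UacSliderLevel -Config $cfg)"
if (-not (Test-UacAlwaysNotify -Config $cfg)) {
    Write-Warning 'UAC is below "Always notify": a change to the UAC setting itself will not prompt. Move the slider to the top.'
}
```

Because the level is derived from the raw values rather than from the slider UI, the same check works for a policy-managed machine where Group Policy has set a combination the slider cannot express, and it can be run across a fleet with whatever remote-execution tooling is already in place.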

@Waethorn, @tayme
Right there, I'm not debating whether or not it differentiates between "legitimate" and "illegitimate", I was asking just out of curiosity whether uac has ever saved anybody here.
I've seen it asking my authorisation to actions I initiated countless times, while never have I seen a uac window pop up while I was watching a movie, reading a blog or whatever.
And as tayme said, i too have many a layer of protection, but even in the case of malware being caught, security suite disarmed the culprit before I could see uac react in ANY way.

@Lindy,
I have to agree with you that the implementation of UAC in Vista is horribly done. However, working with that imperfection isn't as hard as many would make it to believe.
However, I would disagree with you that frequently asking for your password would make you any more safe. You need to be aware of what's going on. If you're just web browsing and all of a sudden you're asked for your computer's password, if you didn't know any better like a lot of users, you could un-intentionally compromise your own system. Much like the iWork 2009 and Photoshop CS 4 pirated copies did. The password alert didn't make users any more protected. This is part of the computer behavioral studies people are looking at. To some folks, they believe the prompting of a password makes it more safe. That can easily be spoofed by any competent virus or code writer.

Like some others here, I looked at Win 7 UAC early on, and concluded I didn't trust the lower settings. Mine is cranked to the top where it belongs.
As to the seeming "Working as intended" response from Microsoft: if that is really the official and long term answer, the person who intended it to be that way made an idiotic decision, probably by not thinking through scenarios. It always surprises me that really smart people--that covers the vast majority of the folks at Microsoft--miss things like this.

"I was asking just out of curiosity whether uac has ever saved anybody here."
It's all up to the user as to whether or not they allow the process to run. I have had calls from a few people where they didn't know if they should allow a P2P file-sharing program to let other programs install so I'm guessing it works. Luckily they stopped at that point to give me a call. I also talked them out of using P2P file-sharing programs since they wanted to download pirated music with it, and I've already had many computers in with MP3's downloaded from Limewire and the like, infected with ID3 tag trojans.
subzero has good info about this too.
The point about the whole thing is to make users aware of what's going on. If they don't understand what it is and just ignorantly allow it, it's their own undoing. Anti-malware software should catch the rest though.
Sometimes UAC just helps alert the user to a configuration option that they maybe shouldn't be playing around with. I get the odd user that likes to play around with MSCONFIG, and disables half of the services and then wonders why they can't do certain things like print, or burn a CD.

I think the reason that we don't see illegitimate applications ask for UAC is that generally users on here are very savvy. No matter whether I am using XP, Vista, or 7 (or pre-2001, 95/98), I don't encounter any malware problems. I'm protected, but AVG or VSE is just sitting there never actually blocking anything. It's called safe browsing and computer practices. Something I think we all know, but it is something that is hard to teach to users.
Now, MS needs to take care of this situation, since it is a flaw. I know I've mentioned this before, but it is a good analogy. It is like the Simpsons episode where Mr. Burns wants to shut down the power to the town, and he and Smithers go through a couple of high security measures to reach the off button, which happens to be in a shack with a screen door hanging off of it with a dog inside. Same thing with leaving UAC naked like this.

"Why can't they get rid of UAC altogether? If we rely on AV suite, isn't it enough?"
No.
UAC prevents system settings from being modified automatically.
AV software identifies malicious software.
They both work towards the same goals but are completely different in their approach.

Unless UAC prompts me for a password by default, it's still useless. That is why it sucks in Vista - not the frequency of appearance, not speed, but the simple fact that it seems redundant - it's a button click. At least a password entry justifies its existence to some extent. A button seems a waste of time.

"But the upcoming version (free) of OneCare should have the ability to block system settings from being modified. In fact most decent AV suite does that."
Most just offer those features for the sake of XP users. What they do is take over the task of UAC in order to brand the entire experience. Symantec is one of those companies that wants to brand EVERY security experience on the computer to gain the trust of the user. They do that, even if Windows already provides that functionality. It's one of the reasons why they wanted Microsoft to open up the kernel PatchGuard in Vista SP1.
OneCare doesn't attempt to take over control of UAC either - it allows Windows Vista to handle it by itself.
Moving forward though, XP is a poor choice for an operating system.

Veteran users should also have a mindset of security and OS'es as perpetual "Works In Progress." I learn something new just reading this blog. From every user and point of view, our use and how we attack security continues to evolve. Wae, Dipsh t, DRWAM, and others have taught me things that I was grateful and humbled to learn. If we are always learning from each other, we can build a better community.
I even learn from Lindy, Tayme, and many of our resident Mac users. If we are static and just doing our own Windows thing, but not learning from both the successes and failures on both Windows and the Mac side, what's the point of any of this? We should constantly be hungry for new info, better ways of doing things, and just staying alert.
The guys looking to compromise our systems do not take a rest. However, this has identified an urgent problem in our education systems. Computer Literacy is a big issue that needs to be addressed. People aren't patching their machines. They don't know what to look for. I was lucky to actually have an 8th grade computer literacy class and High School Visual Basic class. College also had plenty of courses to help. However, a lot of schools at the middle school and high school level do not offer these courses. It's something that we should all be pushing our elected officials to promote and change.

@darkmax
For some reason this reminds me of an old Bill Hicks' routine:
- Believe in me or go to hell!
- Thank you, forgiving Lord, for all these... options
@Waethorn
Guess you're right. If you look at it this way, uac just protects people from themselves. Wouldn't that be just a perfect reason for some to shut it off?

"Unless UAC prompts me for a password by default, it's still useless. That is why it sucks in Vista - not the frequency of appearance, not speed, but the simple fact that it seems redundant - it's a button click. At least a password entry justifies its existence to some extent. A button seems a waste of time."
The point of the UAC prompt isn't actually the OK button, it's the Cancel button. It gives a clear point where the user can STOP what's going on, rather than really approving it. Approving it is just saying, "I don't want to stop what's happening".
